I started using fnox to implement encrypted environment variables in my projects. For simple use cases, age encryption can be used to store secrets locally, but fnox can also be integrated with cloud secret management services and password managers. It also supports multiple providers simultaneously, as well as multiple profiles.
When using age as the encryption provider, anyone can add/update encrypted secrets, but only those with the private keys can decrypt them.
Initialize fnox using `fnox init` to create a `fnox.toml` configuration file:

```bash
fnox init
```

Example configuration

```toml
default_provider = "age"

[providers.age]
type = "age"
recipients = ["age1qgkrnkprrzkpvnysfhjg2sgxvx5vmpfakkg8z25m39g8zx6xesmq4wgw5u"]
```

About recipients

Usually I add 2 recipients:

- My development machine. I use my SSH key as a recipient. I can just put the public key (`ssh-ed25519 AAAAC3Nza...`) in the `recipients` list. I can easily grab my public key from GitHub by going to `https://github.com/[username].keys`.
- My deployment server. I generate a new age key pair using `age-keygen` and put that public key in the `recipients` list. The private key is stored securely on the server.
Add secrets using `fnox set`:

```bash
# Select a profile (optional)
# export FNOX_PROFILE=server1

# Set a secret (prompts for value)
fnox set DATABASE_URL

# Or provide the value directly
fnox set DATABASE_URL "postgresql://localhost/mydb"
```

Anyone can add/update secrets

Since it uses asymmetric encryption, anyone can add or update secrets without needing a private key, but only those with the private keys can decrypt them.
Run a command with `fnox exec` to have the secrets injected as environment variables:

```bash
fnox exec -- pnpm start
```

Providing the secret key

The secret key can be provided via an environment variable:

- `FNOX_AGE_KEY` (specify the private key directly)
- `FNOX_AGE_KEY_FILE` (specify a file containing the private key, which can also be an SSH private key if using SSH keys as recipients)